Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Blather does not authenticate existing user #151

Open
distler opened this issue Oct 24, 2015 · 9 comments
Open

Blather does not authenticate existing user #151

distler opened this issue Oct 24, 2015 · 9 comments

Comments

@distler
Copy link

distler commented Oct 24, 2015

Here's a simple blather script which sends a message to a user:

#!/usr/local/bin/ruby
require 'blather/client'

c = setup '[email protected]', 'XXXXXX'
when_ready do
  write_to_stream Blather::Stanza::Message.new("[email protected]", "Spoons!")
  c.close
end

As I understand the documentation, Blather should first attempt to authenticate as the user 'my_user' and then, if authentication fails, it should attempt to use in-band registration to register 'my_user' as a new user.

With ejabberd 15.09, that's not what happens:

...
D, [2015-10-23T17:05:20.529019 #59219] DEBUG -- : RECEIVING (stream) 
<stream:stream xmlns:stream="http://etherx.jabber.org/streams" id="3314227897" from="myhost.com" version="1.0" lang="en"/>
D, [2015-10-23T17:05:20.529454 #59219] DEBUG -- : RECEIVING (features) 
<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="rBEUwDwH04kFUO/cy54wsfBQW4A="/>
  <register xmlns="http://jabber.org/features/iq-register"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>X-OAUTH2</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>
D, [2015-10-23T17:05:20.530168 #59219] DEBUG -- : SENDING: (/usr/local/lib/ruby/gems/2.1.0/gems/blather-1.1.4/lib/blather/stream/features/register.rb:22:in `receive_data') 
<iq type="set" id="blather0002">
  <query xmlns="jabber:iq:register">
    <username>my_user</username>
    <password>XXXXXX</password>
  </query>
</iq>
D, [2015-10-23T17:05:20.605633 #59219] DEBUG -- : RECEIVING (iq) 
<iq from="myhost.com" id="blather0002" type="error">
  <query xmlns="jabber:iq:register">
    <username>my_user</username>
    <password>XXXXXX</password>
  </query>
  <error code="403" type="auth">
    <forbidden xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>
  </error>
</iq>
D, [2015-10-23T17:05:20.606274 #59219] DEBUG -- : SENDING: (/usr/local/lib/ruby/gems/2.1.0/gems/blather-1.1.4/lib/blather/stream.rb:248:in `stop') 
</stream:stream>
D, [2015-10-23T17:05:20.607104 #59219] DEBUG -- : RECEIVING (end) 
<stream:end xmlns:stream="http://etherx.jabber.org/streams"/>

Note: here, the 403 is because in-band registration is disabled for remote clients. On localhost, where in-band registration is permitted, one gets instead

D, [2015-10-24T12:24:33.845268 #9832] DEBUG -- : RECEIVING (iq) <iq from="localhost" id="blather0002" type="error">
  <query xmlns="jabber:iq:register">
    <username>my_user</username>
    <password>XXXXXX</password>
  </query>
  <error code="409" type="cancel">
    <conflict xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>
  </error>
</iq>

because the user 'my_user' already exists.

@benlangfeld
Copy link
Member

Before I dive in, do #106 #114 help with this at all? Also, does any older version of ejabberd work?

@distler
Copy link
Author

distler commented Oct 25, 2015

If I understand correctly, #106 suggests disabling in-band registration server-side. That changes the 409 error to a 403 everywhere. #114 suggests downgrading from blather 0.8.5 to 0.8.4. Dunno about those old versions, but the problem exists with both blather 1.0.0 and 1.1.4.

As to different versions of ejabberd, I believe this problem first arose upon upgrading ejabberd. I'm not sure which version it broke with: it definitely worked in ejabberd 14.07, and definitely not with 15.09 or 15.07. So somewhere in between ... (14.12, 15.02, 15.03, 15.04 or 15.06).

@benlangfeld
Copy link
Member

Since the only way to be sure why this is happening is to figure out which version broke it, and that that may take a while, I'd ask that you do that and let us know as accurately as you can what changed. Working logs for comparison would also help.

@distler
Copy link
Author

distler commented Oct 25, 2015

Disabling (entirely) mod_register in ejabberd did the trick.

@distler
Copy link
Author

distler commented Oct 25, 2015

And, since you asked for a working log, with mod_register disabled, the previous (failing) dialogue is replaced by the working:

...
D, [2015-10-25T11:20:16.652465 #58883] DEBUG -- : RECEIVING (stream)
<stream:stream xmlns:stream="http://etherx.org/streams" id="1688674457" from="my_host.com" version="1.0" lang="en"/>
D, [2015-10-25T11:20:16.652938 #58883] DEBUG -- : RECEIVING (features)
<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="hDdRD9MBiSJYI7jJFK+03IZdSJo="/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>X-OAUTH2</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>
D, [2015-10-25T11:20:16.653432 #58883] DEBUG -- : SENDING: (/usr/local/lib/ruby/gems/2.1.0/gems/blather-1.1.4/lib/blather/stream/features/sasl.rb:102:in `authenticate')
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="DIGEST-MD5"/>
D, [2015-10-25T11:20:16.730856 #58883] DEBUG -- : RECEIVING (challenge)
<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">XXXXX=</challenge>
D, [2015-10-25T11:20:16.731165 #58883] DEBUG -- : CHALLENGE DECODE: {"nonce"=>"XXXX", "qop"=>"auth", "charset"=>"utf-8", "algorithm"=>"md5-sess"}
D, [2015-10-25T11:20:16.731420 #58883] DEBUG -- : CHALLENGE RESPONSE: {:nonce=>"\"XXXXX\"", :charset=>"utf-8", :username=>"\"my_user\"", :realm=>"\"my_host.com\"", :cnonce=>"\"XXXXXXXXX\"", :nc=>"00000001", :qop=>"auth", :"digest-uri"=>"\"xmpp/my_host.com\"", :response=>"XXXXXX"}
D, [2015-10-25T11:20:16.731493 #58883] DEBUG -- : CH RESP TXT: nonce="1784290425",charset=utf-8,username="my_user",realm="my_host.com",cnonce="XXXXXX",nc=00000001,qop=auth,digest-uri="xmpp/my_host.com",response=XXXXXXXX
D, [2015-10-25T11:20:16.731728 #58883] DEBUG -- : SENDING: (/usr/local/lib/ruby/gems/2.1.0/gems/blather-1.1.4/lib/blather/stream/features/sasl.rb:168:in `respond')
<response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">XXXXXXXXX</response>
D, [2015-10-25T11:20:16.732935 #58883] DEBUG -- : RECEIVING (challenge)
<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">XXXXXXXX==</challenge>
D, [2015-10-25T11:20:16.733096 #58883] DEBUG -- : CHALLENGE DECODE: {"rspauth"=>"XXXXXXXX"}
D, [2015-10-25T11:20:16.733279 #58883] DEBUG -- : SENDING: (/usr/local/lib/ruby/gems/2.1.0/gems/blather-1.1.4/lib/blather/stream/features/sasl.rb:168:in `respond')
<response xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
D, [2015-10-25T11:20:16.963775 #58883] DEBUG -- : RECEIVING (success)
<success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
D, [2015-10-25T11:20:16.964024 #58883] DEBUG -- : SENDING: (/usr/local/lib/ruby/gems/2.1.0/gems/blather-1.1.4/lib/blather/stream/client.rb:12:in `start')
<stream:stream to='my_host.com' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='en'>
D, [2015-10-25T11:20:17.016610 #58883] DEBUG -- : RECEIVING (stream)
<stream:stream xmlns:stream="http://etherx.jabber.org/streams" id="532141347" from="my_host.com" version="1.0" lang="en"/>
D, [2015-10-25T11:20:17.016957 #58883] DEBUG -- : RECEIVING (features)
<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="hDdRD9MBiSJYI7jJFK+03IZdSJo="/>
  <bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/>
  <session xmlns="urn:ietf:params:xml:ns:xmpp-session"/>
  <sm xmlns="urn:xmpp:sm:2"/>
  <sm xmlns="urn:xmpp:sm:3"/>
  <csi xmlns="urn:xmpp:csi:0"/>
</stream:features>
D, [2015-10-25T11:20:17.017483 #58883] DEBUG -- : SENDING: (/usr/local/lib/ruby/gems/2.1.0/gems/blather-1.1.4/lib/blather/stream/features/resource.rb:39:in `bind')
<iq type="set" id="blather0002">
  <bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/>
</iq>
D, [2015-10-25T11:20:17.153549 #58883] DEBUG -- : RECEIVING (iq)
<iq id="blather0002" type="result">
  <bind xmlns="urn:ietf:params:xml:ns:xmpp-bind">
    <jid>my_user@my_host.com/3568922531445790017153082</jid>
  </bind>
</iq>
D, [2015-10-25T11:20:17.153832 #58883] DEBUG -- : USING JID: my_user@my_host.com/3568922531445790017153082
D, [2015-10-25T11:20:17.154075 #58883] DEBUG -- : SENDING: (/usr/local/lib/ruby/gems/2.1.0/gems/blather-1.1.4/lib/blather/stream/features/session.rb:40:in `session')
<iq type="set" id="blather0004" to="my_host.com">
  <session xmlns="urn:ietf:params:xml:ns:xmpp-session"/>
</iq>
D, [2015-10-25T11:20:17.154677 #58883] DEBUG -- : RECEIVING (iq)
<iq type="result" from="my_host.com" id="blather0004"/>
D, [2015-10-25T11:20:17.155930 #58883] DEBUG -- : SENDING: (/usr/local/lib/ruby/gems/2.1.0/gems/blather-1.1.4/lib/blather/client/client.rb:153:in `write')
<iq type="get" id="blather0006">
  <query xmlns="jabber:iq:roster"/>
</iq>
...

@benlangfeld
Copy link
Member

If you have a working log with mod_register enabled on an older version of ejabberd, I'd love to see that also.

@distler
Copy link
Author

distler commented Oct 25, 2015

Sorry, but that won't be particularly easy.

Still, it's clear what's going on:

  • When ejabberd includes a <register xmlns="http://jabber.org/features/iq-register"/> among its features, blather responds with a <query xmlns="jabber:iq:register"> request.
  • When ejabberd does not include that line, blather responds with an <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="DIGEST-MD5"/> request.

I think blather ought to try an <auth ... /> request, first, no?

@benlangfeld
Copy link
Member

Yes, it should. Do you fancy submitting a failing spec to show the issue?

@uranio-235
Copy link

the same problem with prosody here, I'm unable to disable registre module

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants